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METHODS FOR GENERATING IDENTIFICATION VALUES FOR IDENTIFYING ELECTRONIC 

MESSAGES 

Technical fi^ld 

5 

The present fnvention generally relates to methods for generating IdentificaWon values for 
identifying electronic messages, the methods relying on hash functions* Embodiments of the 
methods of the invention provide novel hash or MAC (Message Authentication Code) 
functions. More specifically, the Invention provides novel procedures of applying e.g. hash 
10 functions to data blocks derived from a message of any given iength. In one aspect, the 

Invention relates to a method providing an efficient universal hash function based on a deltas- 
universal hash function^ 

Background of t he invention 

15 

Hash and MAC functions are useful for ensuring that the contents of an electronic message as 
received by a recipient Is identical to the contents of the same message as sent by a sender. 
Thus^ if a hash or MAC function outputs the same identification value when the function is 
applied to the sent message as the value generated as an output when the function is applied 
20 to the received message, the contents of the message as received is identical to the contents 
of the message as sent. If, however, the contents of the message have been altered^ the 
hash or MAC function outputs two different Identification values. 

The term ''identification value** may be a hash value or a cryptographic check-sum which 
25 identifies the set of data, cf- for example Applied Cryptography by Bruce Schneler, Second 
Edition, John Wiley & Sons, 1996, in case a cryptographic key Is used as an input for the 
computations, the hash function Is usually referred to as a MAC function (Message 
Authentication Code)« 

30 Various hash and MAC functions have been proposed in the prior art. Procedures for applying 
• such functions to a message, including procedures for breaking the message into blocks for 
processing by such functions, have also been proposed. Fig» 1 illustrates a prior art method 
for generating an identification value for identifying an electronic message, including a 
procedure for breaking a message down into blocks which are processed by hash functions, 

35 The method of Fig. 1 Is generally disclosed in M.N, Wegman and J.L. Carter: New Hash 

Functions and their Use in Authentication and Set Bquaiity, J. Computer and System Sciences 
22, pp, 265-279 (19S1), In this method, an electronic message Is divided into a plurality of 
blocks, for example 5 blocks mi,i..4mi^. As the blocks are to be combined in groups, for 
example as illustrated in Fig. 1 in pairs of two, by application of a hash function, and as 2 

40 does not divide 5, a 6^ block Is appended to the 5 blocks, the 6^^ block simply containing the 
value 0. The 6 btocks are divided into 3 sul:>sets, which are combined by application of the 
hash function h to obtain 3 resulting numbers (or bioclcs} m2.i."m2,3- As 2 does not divide 3, a 
4^^ block containing the value 0 is appended, and the above procedure of combining is 
repeated to obtain m-^^x ^^<i ^"3,2/ which in a final step are combined into output value m4,i. 
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Accordingly, the hash function h is applied repetitively In a tree-structure compression of the 
message, such a repetitive application of a hash function being usually also referred to as a 
^'hash functions The output value of the tree-structure compression may either be used 
directly as a hash value Identifying the original message, or It may be processed further, e.g» 
. 5 by application of a cryptographic function to obtain a MAC value. In Fig. 1, ku etc. denote 
various cryptographic keys that are applied in the hash function h. 

It Is apparent from Fig. 1 that the number of hash computations (i*e. the number of 
applications of the hash function h) in each step is equal to half the number of blocks used as 
10 input In respect of each step, and. If 2 does not divide the number of Input blocks, the 

number of hash computations Is equal to the number of input blocks plus 1 divided by 2, It 
has been found that hash functions require significant computational resources, but so far no 
alternative to appending e.g. a 6* block of data containing the value 0 (as In step 1 of Fig* 
1), which could speed up Identification value generation, has been proposed. 

15 

Summary of the invention 

It Is an object of preferred embodiments of the Invention to provide a method for generating 
an identification value^ which method is capable of processing messages of any length. It is a 
20 further objea of preferred embodiments of the Invention to provide a method which is fast. It 
Is a yet further object of preferred embodiments of the invention to provide a method which 
is memory efficient In the sense that smaller memory resources are occupied than those 
required by prior art methods while maintaining a high processing speed. 

25 In a first aspect, the invention thus provides a method for generating an identification value 
for Identifying an electronic message by application of at least one first hash function with 
fixed compression that compresses n blodcs of data Into a number of blocks which is smaller 
than n or Into one block, the hash function being repetitively applied In a tree^structure 
compression of the message, so that the message is being compressed in a plurality of tree- 

30 structure levels, each level receiving mi input blocks for compression, subscript i denoting a 
; current level In the tree structure, t^e method comprising processing an output of the tree- 
structure compression further to obtain said Identification value, 

the method being characterized in that 

35 

a residual data block is passed without compression from the current level to another, 
. subsequent level In case n does not divide the number of input blocks mj for said current 
level i, 

• 40 Tlie step of applying at least one hash function may comprise applying a plurality of different 
hash functions. The fbced compression may compress the n blocks of data Into more than a 
single block, provided that the compression results in fewer than n blocks. Moreover, the 
fixed compression may result in one or more blocks which have different length(s) than the 
lengths of the n blocks used as an input for the compression. 
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It Will be appreciated that method of the first aspect of the present Invention mainly differs 
from the prior art method discussed above with reference to Fig, 1 In that there is no need to 
- append data blocks of zeros in case the number of subsets does not divide the length of the 
message, and to process such blocks of zeros by a hash function. On the contrary; the 
5 present method may be regarded as a method that leaves the residual bIock(s) unprocessed 
in one step of compressing by means of the hash function (i.e. In one level of the tree 
structure) and moves the residual block(s) one step further to a subsequent step of 
compressing data blocks by means of the hash function (i.e. to a subsequent level of the tree 
stnicture). Thus, hash functions are not applied as often as In the prior art method, whereby 
10 computational resources may be saved and overall proc^slng speed Increased, This will be 
further discussed in connection with the description of Fig. 2 below. 



As mentioned above, the at least one first hash function of the method according to the first 
aspect of the invention, compresses n blocks of data into a smaller number of blocks, such as 

15 • {nto one block. It should be understood that the scope of the appended claims generally 
extends to any fixed compression compressing a set of data of a given length to obtain a 
result of a smaller length* For example, eight data blodcs of a given length may be 
compressed into three blocks of the same length by application of the at least one first hash 
function. This example also falls within the scope of the present ctaims/ as tihe three blocks 

20 resulting from the compression are, in the present context, regarded as one block (which, 
' however, has a length different from the length of each of the three blocks resulting from the 
compression). 

Generaliy, the method according to the first aspect of the Invention provides a method for 
25 generating an Identification value for id€»itifylng an electronic message of any length by 
application of at least one first hash function with Hxed compression that compresses n 
blocks into a number of blocks which Is smaller than n or into one block, the method 
comprising: 

- dividing a set of Input data derived from the message into a plurality of blocks; 
30 - performing a plurality of compression cycles, each rth cycle comprising: 

o Inputting mi input blocks to the cycle, mi denoting the number of Input blocks 
to the I'th cycle; 

o organizing the m{ input blocks Into a plurality of subsets, each subset 

consisting of n blocks; 
35 ' o If n does not divide mi: defining at most n-l residual blocks; 

o combining the blocks of each subset by means of said at least one first hash 

function to obtain a resulting number in respect of each subset; 

- using each resulting number as Input data for a next compression cycles, and 

- using the residual block(s) as a part of said input data for said next cycle or for a further, 
40 subsequent cycle, 

- obtaining, as a result of the plurality of compression cycles, a set of output data which is 
further processed to obtain said identi^cation value. 

In a second aspect, the invention provides a method for generating an Identification value for 
45 Identifying an electronic message by application of at least one first hash function with fixed 
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compression that compresses n blocks of data into a number of blocks which Is smaller than 
n or Into one block, the hash function being repetitively applied in a tree^structure 
compression of the message, so that the message Is being compressed in a plurality of tree- 
structure levels, each level receiving mi input blocks for compression/ subscript I denoting a 
5 current level in the tree structure, the method comprising processing an output of the tree- 
structure compression further to obtain said Identification value, 

the method being characterized In that 

10 It comprises determining whether or not n divides the number of input blocks mi for said 
current level [; and 

if n does divide m^: applying said at least one first hash function myn times; 
If n does not divide mi: 

applying said at least one first hash function at most mjt\ times, whereby at ieast one 
15 residual data block Is left unprocessed by the first hash function; and 

* processing said at least one unprocessed data block by means of an auxiliary hash 
function wh?ch. In one single hash operation^ compresses the at least one 
unprocessed data block Into one single block. 

20 In case the at least one first hash function Is applied less tlian mi/n times, n data blocks may 
be left unprocessed In addition to the at least one residual data block, and the step of 
processing the unprocessed data blocks does In that case preferably comprise processing all 
of the unprocessed data blocks. 

25 It will be appreciated that the method according to the second aspect of the invention 

provides an alternative solution to the above objects of the Invention. Whereas the method of 
• the first aspect of the invention comprises forwarding a residual data block to a subsequent 
level In the tree structure without applying a hash i^nction to the residual block, the method 
according to the second aspect of the Invention takes a different approadi. More specifically, 

30 in a given level of the tree strut^ure, the first hash function Is applied fewer times than the 
truncated value of mr/n, if n does not divide m^ whereby n data blocks and one or more 
residual data blocks are temporarily left unprocessed. For example. If mi equals 27, and n^2, 
then the first hash function may be applied 12 t^mes (trunc{27/2) equals 13, and accordingly 
the first hash function is, in accordance with the second aspect of the invention, applied at 

35 most 12 times). This leaves n^2 data blocks and 1 "^residual data block". I.e. a total of 3 data 
blocks, unprocessed. Finally, these 3 unprocessed data blocks are processed by the second 
hash function which performs 3:1 osmpression. 

Also the mettiod according to the second aspect of the Invention mainly differs l^om the prior 
40 art method discussed above with reference to Fig. 1 in that there is no need to append data 

blocks of zeros In case the number of subsets does not divide the length of the message, and 
. to process such blocks of zeros by a hash function. The present method does instead apply 

the second hash function which compresses more than n blocks Into a single block, so as to 

thereby take Into account that n does not divide mi. Agaln^ hash functions are not applied as 
45 often as In the prior art method, whereby computational resources may be saved and overall 
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processing speed Increased. This win be further discussed In connec±ion with the description 
of Fig, 7 below. 

■ 

The step of applying the at least one fltist hash function less than ml/n times may Include not 
applying the first hash function at all. For example. If 3 data blocks are to be processed, and 
the first hash function would normally perform 2: 1 compression. It would make no sense to . ! 

apply the first hash function to 2 of the 3 blocks to be processed. In this case, 2 data blocks ) 
and one residual data block are left unprocessed by the first hash function, and these three 
data blocks are ttien processed by tJie auxiliary hash function. | 

Iti a third aspect, the invention provides a method for generating an identification value for j 
identifying an electronic message, the method comprising the steps of: • 

- processing at least one block of a set of data (Mi,.,.,Mc„) derived from the message Into a \ \ 
resulting number h by means of a hash function which is at least delta-unh/ersal, 
h=f(Mi,.,., Mm); and j 

- adding a number representation (l^m+i) of a ftirther block of data derived from the 
message to the resutong number to obtain a modified r^ulting number, h'-h+Mm+x; j 

- using the modified resulting number h' further to obtain said Identification value- 

20 Also the method according to the third aspect of the invention differs mainly from the prior 
art method discussed above with reference to Fig, 1 in that there is no need to process all the 
data blocks derived from the message by a hash function. The present method may be 
regarded as a method that only applies a hash function to some of the blocks derived from 
the message, and which performs an addition of non-hashed data blocks to hashed data . , 

25 blocks. In later repetitions of the steps of processing and adding, data blocks which have j 
previously been hashed may become data blocks which are not hashed In such later steps, j 
but which instead are added to other data blocks hashed in such later steps* As a result of 1 
adding data blocks rather than applying hash functions to all the data blocks. Hash functions \ 
are not applied as often as In the prior art method, whereby computational resources may be ; ' 

30 saved and overall processing speed inc^^ased. This will be further discussed In connection ! 
with the description of Figs. 8-10 beIow« 

i 

It will thus be understood ttiat, in all aspects of the Invention, hash functions are not applied 
as often as in the prior art method. As hash functions include non-linear computations, such 
35 as multiplications, which require more computational resources than linear computations, j 
such as additions, substantial computational resources can be saved by reducing the number j 
of applications of hash functions. In preferred embodiments of the invention, the ultimately 
generated identification vatue is a function of all input bits, i.e. of ail bits of the message, so 
. that It Is ensured that the security of the methods is not compromised. 

40 

In the present context, the term message should be understood as any set of digital data, 

such as e-mail, electronic files of any kind, including digital Images, executable files, text 

files, digital sound, video, etc. | 
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As menUoned above, tiie term 'Identification value** may be a hash value or a cryptographic 
check-sum. which identifies the set of data^ cf. for example Applied Cryptography by Bruce 
Schneier, Second Edition^ John Wiley & Sons, 1996. In case a cryptographic key Is used as an 
input for the computations, tfie hash function is usually referred to as a MAC function 
S (Message Authentication Code), 

• In a broad definition, a cryptographic key may be regarded as an Input value for an algorithm 
of a cryptographic system, the key being used for initializing Iterations. 

10 . Herein, the term universal hash function Is to be understood as any function being 

"^universal" by the definition of Carter and Wegman: Universal Classes of Hash Functions, J. 
Computer andSystem Sdences 18, pp. 143-154 (1979), or any function being "'e-almost- 
universal" by the definition of Stinson: Universai Hashing and Authentication Codes, 
"Advances In Cryptology - CRYPTO '91^ Lecture Notes In Computer Science 576, pp. 74-85 

15 (1992), The term delta-universal Is to be understood as any function being '"A-unlversar or 
. ^'e-almost-A-universar by the definition of Stinson: On the connections Jbetv^een universai 
hashing, combinatorlai designs and error<x>rrecting codes, Congr^ssus Numerantium 114, 
pp. 7-27 (1996). 

20 It will be understood that the methods of the first, second and third aspects of the invention 
may be combined in one single application. For example, the method of one of the aspects 
may be applied in respect of selected blodcs or In selected levels In the tree structure, 
• whereas the method of one or two of the other aspect(s) may be applied in respect of other 
biocics or levels. 

25 

The invention also provides computer systems which are programmed to perform the 
methods of the invention as well as computer program products comprising means for 
performing the metiiods of the Invention. 

30- Sri^f d^pcriptjpn of th^ drswjng? 

Rg« 1 illustrates a prior art method as discussed above; 

Figs, 2 and 3 illustrate an embodiment of the method according to the first aspect of the 
35 Invention; 

Fig. 4 illustrates the initial processing of an incoming message M In a method according to 
any of the aspects of the Invention; 

40 Figs. 5 and 6 illustrate fmai processing steps of one embodiment of any of the methods 
according to the Invention; 

Fig, 7 Illustrates an embodiment of the method according to the second aspect of the 
invention; 
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Figs. 8-10 Illustrate an embodiment of the method according to the third aspect of the 
Invention. 

5 

Detailed description of the invention 

w 

In Fig. 2, an electronic message of a given length Is divided Into n«4 blocks ma,i.«mi,4 and 
Into 2 subsets of two blocks each. The subsets are thus defined by mi,i and mi,^; mi,3 and 

10 mi,4. The remaining block mi,5 is hereinafter referred to as residual block mi,5. The first part 
of the indices 1^1; 1,2 etc. denotes a current level in the tree structure, i.e. level 1 in the 
upper row in Fi9« 2, and the second part of the indices represents a block fdentifier^ Le. block 
1, 2 ... 5. The bfocks of each subset are combined by means of hash functions hi, which use a 
first cryptographic key k^. The step of compressing the blocks of each subset results in t^o 

15 • resulting numbers rr\2,u and m2,2/ which subsequently are compressed by means of a hash 

function into a further resulting number m3,i, the hash function using a second cryptographic 
key k^. Rnally^ the residual block mi,5 and resulting number m3,t are compressed by means of 
a hash function into resulting number m4,i, which also constitutes an output. 

20 In accordance with the third aspect of the invention and as described In detail below with 
reference to Rg. 10, the hash funaion hi of Fig- 2 may comprise a delta-universal hash 
function h<ii which is applied to one data blod< at a time only, and to which a second data 
block is added following the processing by the hash function. For example, in Fig. 2, hash 
function hi may be substituted by hash function h^t which uses ms,i as an input and appHes 

23 cryptographic key ki or an alternative cryptographic key kdi. Data block mx,z may then be 
added to the output of hash function h^i. 

Fig. 3 Illustrates a practical api:rilcatlon of the method according to the first aspect of the 
Invention applied to a message which Is divided into 11 blocks mi^.mn. The application of 

30 Fig. 3 utilizes a minimum of memory capacity, as will be described further below. The 

numbered dashed boxes In Flg» 3 indicate the order In which the individual operations of the 
method are performed. Thus, the operations shown In dashed box 1 in the upper left corner 
of Fig. 3 are perfotmed first. More specifically, as a new message Is processed, two Initial 
data blocks mj and ma are compressed by means of a first hash function h, which in the 

35 example shown In Fig. 3 is a key-dependent hash function, e.g. a universal hash function, 
that makes use of cryptographic key k%. The result of the compression is temporarily stored 
in a temporary register (or in a temporary variable) denoted ^Temp", from whidi it Is 
immediately passed on to a buflier variable bt of level 1 of the tree structure. Next, the 
operations of box 2 are performed, whereby data block and m4 are compressed by the 

40 same hash fxinction and the same cryptographic key ki as applied in respect of mi and m2. In 
' alternative embodiments of the Invention, the hash function of box 2 may be different from 
the hash function of box 1, cf. the general discussion of different hash functions set forth 
betow In connection with the description of Figs. 2 and 3. The result of the compression of ms 
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and m4 Is temporarily stored In the "^Temp" register (or variable), this register being available ] 
• now, as Its previous contents has been moved to buffer variable bi, cf . box 1. | 

r 

ft 

• In box 3, buffer variable bi and the ^Temp" variable are compressed by means of hash \ 
5 function h which utilizes cryptographic key k2, i-e. a cryptographic key which Is different from \ 
the cryptographic key ki used in the first level* The result of this compression Is temporarily 
stored In the now available "Temp*' register and passed on to a buffer variable b^ of level 2- 
In boxes 4 and 5, the procedures described above In connection with boxes 1 and 2 are 
repeated, so as to compress input blocks ms^^ma* As the contents of buffer variable bi has * 

10 been utilized In box 3, this buffer variable is available In box 4 for the result of the 

compression of ms and ms. In box 6, the contents of buffer variable bi and the 'Temp" 
register are compressed, the result being temporarily stored In the ^Temp* register and 
immediately thereafter compressed together with the contents of buffer variable b2, cf, box 
7, the result being passed on to the buffer of level 3r b^, via the '^Temp'^ register. Next, as 

15 Illustrated In box 8, input blocks m$ and mio are compressed, the result of the compression ; 
being stone in the '^Temp'^ register and passed on to the bi buffer variable. As the hash 
function h perfonms 2:1 compression, and as no twelfth block Is available for compression \ 
with mil, block mu is simply passed on to the second level of the tree structure by being 
temporarily stored In the ^Temp^ register. In accordance with the first aspect of the 

20 Invention* In box ID, the contents of bi and the contents of the '^Temp" register (I.e- mn) are 
compressed, and the result Is temporarily stored In the '^Temp" register. In respect of the 
compression to be performed in level 3, no fourth block is available which could be 
compressed together with the current contents of the "^Temp" register, and thus, as 

illustrated by box 11, the contents of the ^Temp*" register are passed on to level 4, Finally, in ; 
25 levei 4, the contents of ttie buff&r of level 3, bs, and the ^'Temp" register are compressed to ; 
produce an output, denoted in box 12 as a buffer varlabie of level 4, b4. 1 

* 

From the above discussion of Rg, 3, It will be appreciated that the result of each hash I 
function Is temporarily stored in the 'Temp" register and, rf the buffer variable bj of the level ; 

30 concerned (i.e. levei i) is available, passed directly on to this buffer variable. If the buffer 
variable is not available, then the contents of the "^Temp" register are Immediately 
compressed in the next level i-f 1 together with the contents of the buffer variable bl by 
means of a hash function* This procedure is carried out In respect of each applical^on of hash 
function h (i.e. horizontally in Fig. 3) and in respect of each level of the tree structure (i.e. 

35 vertically in Fig. 3} In the order described above. I.e. in the order revealed by the numbering 
of the dashed boxes of Fig. 3. 

' The memory requirements for performing the procedure of Fig. 3 are minimized, as only one 
. buffer variable b| per level and one single temporary variable are required in order to perf'orm \ 
40 the tree-structure compression of the message. ) 

9 

9 

r 

In accordance with the third aspect of the invention the hash function hi of Fig. 3 may : 
comprise a deita-unlversal hash function lidi which is applied to one data block at a time only,^ \ 
and to which a second data block Is added following the processing by the hash function as i 
45 generally described below in connection with Fig. 10* 1 

i 

\ 
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In Figs. 2 and 3, different cryptographic keys k may be applied In each application of the 

* hash function h. In other wonds^ each time the hash function h is applied, a new 
cryptographic key may be used. Accordingly, In for example level 1 of Rgs. 2 and 3, the keys 

5 ■ denoted ki may not be the same, whereby ki varies horizontally In the tree structure. In 
presently preferred embodiments, one single cryptographic key is, however, used in all 
applications of the hash function h in one single level of the tree structure. In such preferred 
. embodiments, different keys ki, ka,... are applied in different levels of the tree structure, so 
that one sirtgle key ts used In all applications of the hash function h within a single level. 

10 

. The cryptographic keys kx, ka,... may be generated by any appropriate key generation 

* . method. They may thus, for example, define a symmetric or asymmetric key generated by a 
- stream- or block-cipher system. In one embodiment, the keys may be generated as outputs 

of a pseudo-random number generator which receives a seed key as input. In principle, any 
15 sufficiently secure pseudo-^random number generator may be applied^ e.g. the one disclosed 
in WO 03/104969, which is hereby Incorporated by reference. 

It will be understood that any message of any given length may be processed according to 
•the principle described above In connection with Figs, 2 and 3. In Figs, 2 and 3, the number 

20 of bits In the message to be processed is a multiple of the length of each block. However, this 
is not always the case, and in order to process all message lengths, including those which are 
•not a multiple of the block length, the present method may comprise the step of appending a 
set of predefined data to the message, so that the length of the message with the appended 
set of data becomes a multiple of the length of the blocks, as illustrated in Fig. 4« The 

25 Incoming message M is divided into a plurality of blocks, each having a predetermined biock 
length, and a remainder data block of a size smaller than block length. In the example shown 
in Fig. 4, a series of zeros are appended to the remainder data block, whereby t^e remainder 
data block with appended zeros defines a block of the desired predetermined block length, so 
that the message eventually Is spilt into five blocks mi..m5. The message may now be 

3D processed, e.g« as described above In connection with Rgs. 2 or 3. If, In the example of Fig. 
3, it Is determined that there are not sufficient bits available In the incoming message to 
define a full biock mn, the step of appending data to the message would preferably occur at 
ttie time of storing mn (i.e. the remainder data block of the Incoming message with 
appended data) in the 'Temp" register, cf. dashed box 9 in Fig. 3. 

35 

The output of the tree-structure processing Illustrated In Figs. 2 and 3, Le. for example m4,i 
of Fig. 2 and b4 of Fig. 3, is further processed before the IdentlHcation value is generated. In 
order to take the length of the message into account and thereby to ensure that two different 
messages of different lengths result In different identiilcatlon values, a concatenated output 

40 may be generated by appending data which represent the length of the Incoming message, 
as illustrated fn Fig. 5. The data representing L may for example represent the total number 
of bits, bytes or data blocks of the incoming message. This concatenated output may 
- subsequently be compressed by application of a second hash function hz which may 
optionally make use of a cryptographic key kh2/ to produce a compressed concatenated 

45 output. The data representing the length of the message should uniquely Identify the length. 
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• . Accordingly,. In a setup, in which all message lengths are determined as a number of bytes, 
then also the length of the Incoming message which is appended to obtain the concatenated 
output may be determined as a number of bytes. Otherwise, the data representing the length 
. w»] typically represent the number of bits of the message. The length L of the message may I 
5 be known to the system In which the metiiod Is applied before processing In the tree j 
structure (s Initiated, or it may be determined along with such processing. For example, as \ 
the incoming message Is split into blocks mi,i..mi,5, cf. Fig. 2, or mi*.mii, cf» Fig; 3 (in which 
the message is split into blocks successively as the blocks are being processed In the tree- 
structure), the number of bits in the message may be simultaneously counted to obtain a 
10 measure of the length of the message. 

The second hash function hz may be the same function as the first hash function applied In 
the tree structure, or It may be a different hash function. It may be advantageous with 
respect to security (I.e, to minimize the probability that the same Identification value may be 
15 generated In respect of two different messages) to apply a strongly-universal hash function 
as hj. The term strongly-universal Is to be understood as any function being ''strongly- 
universal" or "^E-almost-strongly-univensar' by the definition of stinson: Universal Hashing 
Bnd AutJjentJcation Codes, ''Advances in Cryptology - CRYPTO '91", Lecture Notes in 
Computer Science 576, pp. 74-85 (1992)* 

20 

In Fig. 5, a cryptographic function rs applied to the compressed concatenated output. More 
specifically, a cryptographic key kww: Is bitwise xOR'ed with the compressed output to obtain 
a MAC value as the f^nal identification value Identifying the message. The cryptographic key 
krtAC may be generated by any appropriate key generation method. It may thus, for example, 

25 define a symmetric or asymmetric key generated by a stream-* or block-cipher system. A 

sender and a recipient of the message should posses identical keys kMAc In order for them to 

be able to generate identical Identification values in respect of the same message. In one 

embodiment, the key may be generated as an output of a pseudo<*random number genera1x>r i 

which receives a seed key as input. In principle, any sufficiently secure pseudo-random 

30 number generator may be applied, e.g. the one disclosed In WO 03/104969. 

. It will be understood that embodiments of the method of the invention are envisaged. In | 
which no cryptographic key kwAc Is applied to obtain a MAC vaiue. In such embodiments, the 

identification value may for example be derived as the compressed concatenated output, or > 

35 ■ simply as the output of the tree-structure compression (m4,i in the example of Rg. 2 or b4 In : 

.the example of Fig. 3). In such cases, the identification value would be referred to as a hash \ 

- value, and the overall method would also be referred to as a hash function, despite the fact ] 

that also the individual functions h are also referred to as hash functlons. { 

{ 

' \ 

40 An example of a typical application of a ha^ function (i.e. Identification value generation not | 
involving encryption by XORIng with a cryptographic key k^Ac) Is the Identification of a | 
password used for user log-on to e«g. a server. Instead of transmitting ti^e user's password * | 

via a network, the hash value, i.e. identification value derived from the password, may be f 

• transmitted- A I^AC ftinction is typically applied for Identifying a message, e.g. an e-mail I 

1 
1 

ft 

\ 
1 

\ 

X 

i 
\ 

m 

! 
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message^ sent from a sender to a recipient, both of which posses an appropriate 
cryptographic key. 

* 

Fig. 6 shows one specific way of performing the procedure of Rg. S. In Fig. 6, the 
5 concatenated output is divided Into separate data blocks of a given length. If the length of 
the concatenated output Is not a multiple of the given lengthy a set of predetermined data, 
e.g, a series of zeros, is appended, to define an integer number of blocks, e.g, Ci..Cs In the 
example of Fig. 6. .The blocks C1..C5 are compressed by means of the second hash function ha 
which optionally makes use of a cryptographic key k^a- 

10 

To Improve the quality of the identification value generated by the method according to the 
Invention, l.e« to reduce the probability of the method generating identical values In respect 
of different messages, a further hash function (not shown in the figures) may be applied to 
the output, a further set of data derived from the output, the concatenated output, or the 
15 compressed concatenated output. The further hash function Is particularly relevant in case 
the second hash function hz \s identical to the first hash function h^. The first hash function h| 
may be a function different from the second hash function hz. 

While, in the examples of Figs. 2 and 3, hi is shown as one specific function which is applied 
20 a plurality of times in the tree-structure compression, different functions may be applied. For 
example, two different of the hi hash functions may compress different numbers of bfocks. 
The hi function or functions may compress a variable number of blocks. In one embodiment, 
2:1 compression Is performed in one or more levels of the tree structure, and In other levels 
3: 1 compression is performed. 

25 

Alternatively, In accordance with the second aspect of the invention, various compression 
rates may be applied in one single level of the tree structure. This is illustrated in Fig. 7, in 
, which 2:1 compression Is performed by a first hash function hi on mi,i..mx^4, and 3:1 
compression is performed by an auxiliary hash function hay^ on mi,5.»mi,7 in the first level. In 
3D . the second level, only 3:1 compression is performed. The first hash function hi us^ a first 
cryptographic key kt, and in level 1, the auxiliary hash function uses a first auxiliary 
- cryptographic key kauxi^ and in level 2, the auxiliary hash function uses a second auxiliary key 

kauiCt* 

t 

35 It should be understood that the above description of Figs. 3-6 and the features discussed in 
relation thereto apply equally to the second aspect of the invention. 

• • Rgs. 8-10 Illustrate the method of the third aspect of the invention. The method Is generally 
Illustrated in Rg. 8, wherein data block mi,i derived from a message is processed by a delta- 

40 universal hash function hm which applies a first cryptographic key k^i- Data block mi,2 is then 
added to the number resulting from the delta-universal hash function to obtain a modified 
resulting number rrtz^t which can be used to obtain an Identification value for Identifying the 
message. For example, the modified resulting number mj^i may be applied as illustrated in 
Figs. 5 or 6 by using the modified resulting number as ^Output", to which a representation of 

45 the length L of the message is appended to obtain the concatenated output, which in turn is 
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.* used to obtain the compressed concatenated output, from which the MAC value Is derived, as 
described in connection with Figs. 5 and 6. 

Fig. 9 illustrates a similar embodiment of the method according to the third aspect of the 
. .5 inventton, in which the incoming message Is divided into four blocks mi,i..mi,4/ three of which 
- . . . are compressed by application of an alternative delta-universal hash function hdi/ which 

applies one or more cryptographic keys ICd^. The fourth block is added to the number resulting 
from the hash function h^z to obtain a modified resulting number ma,a which may be 
processed to obtain an Identification value as described above in connection with Fi9« 8 and 
10 Figs. 5 and 6. 



Fig. 10 Illustrates yet another embodiment of the method of the third aspect of the Invention, 
In this embodiment, the method Is applied In a tree structure of the type described above in 
connection with Figs. 2 and 3, In which the message is compressed In a plurality of tree- 

15 structure levels. In a first level of the tree structure. Incoming data block m^^ is processed by 
a first delta-universal hash function hdi, and Incoming data block mj,2 added to the 
resulting number of hdi to obtain m^^, which. In a second level of the tree structure. Is 
processed by hash fUn<^ion hdi* Incoming blocks mi^s and mi,4 are processed likewise in the 
first level to obtain ma,2/ and in the second level m2,2 Is added to the number resulting from 

20 hash function hdi applied to m2.i, and ma,^ is obtained. Incoming data block mt,s Is passed 
from the first to the third level without processing thereof, as depicted In Fig. 10, in which 
the data block is referred to as m^^a In the second level and as mg^z In the third level for the 
sake of clarity. In the third level in the tree structure, the hash nincQon hdi Is applied to ms^, 
and TDs^z (i.e. mi^s) is added to the resulting number to obtain m^^, from which the 

25 identification value can be derived as described above in connection with Ftg. S and Figs. 5 
and 6. 

It will be understood that the delta-universal hash function defined In connection with the 
third aspect of the invention, embodiments of which are described with reference to Figs. 8- 
30 . 10, may be applied in the first and second aspect of the invention. For example, the so-caiied 

• • first hash function h^ of the method according to the first and second aspect of the Invention 
•• may comprise the delta- universal hash function hdi and the subsequent step of adding a data 
. block to the number resulting from the delta-universal hash function hdi^ In other words, in 

one embodiment, the method of Fig. 2 Is Identical to the method of Fig« 10. Likewise, in 
35 dashed box No; 1 of Fig* 1, hash function hj may comprise the application of a delta- 
universal hash function hdi to incoming data block mi and subsequent addition of incoming 

* data block m^ to the number resulting from the delta-unh/ersal hash fundiion to obtain the 
result of the compression to be store in the temporary register "^Temp". 
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CLAIMS 

I- 
t 

1. A method for generatfng an fdentlfJcatlon value for identifying an electronic message by i 
' applicaUon of at least one first hash function with fixed compression that compresses n i 
5 . blocks of data fnto a number of blocks which Is smaller than n or into one single blocks the j 
~' hash function being repetitively applied In a tree-structure compression of the message, so 1 
. that the message is being compressed In a plurality of tree-structure levels, each level I 
receiving mj input blocks for compression, subscript I denoting a current level In the tree 
.structure, the method comprising processing an output of the tree-structure compression 
10 ftirther to obtain said Identification value, 
characterized in that 

■ 

a residual data b!ock Is passed without compression from the current level to another, 
subsequent level in case n does not divide the number of Input blocks mi for said current 
level i. 

15 

2* A method according to claim 1, further comprising the step of appending a set of 

predefined data to the message, so that the length of the message with the appended set of \ 
data becomes a multiple of the length of the blocks. 

20 3. A method according to dalm 1 or 2, wherein the tree-structure compression Is performed 
until the number of blocks Is less than 

• 4« A method according to claim 3, flir^er comprising the step of concatenating the output 
with data which represent a length L of the message to obtain a concatenated output, the 
25 length L representing the lengtti of the message without said appended set of data. 

« 

w 

5. A method according to claim 4, wherein a hash function 1$ applied to the concatenated 
output to obtain a compressed concatenated output, said hash function being one of: 

- the at least one first hash function; and ■ 
30 - a second hash function, 

■ 

. 6. A method according to any of the preceding claims, further comprising applying a further 
hash function to at least one of: 

- said output, j 
35 - a further set of data derived from said output, I 

- said concatenated output, and 1 

- said compressed concatenated output. 

7. A method according to any of the preceding claims, further comprising applying a j 
40 cryptographic funaion to said output or to a further set of data derived from said output, • | 

\ 

8» A method according to any of the preceding claims, wherein at least one of: j 

- said at least one first hash function; I 

• 

* said second hash Ixinction; and | 
45 - said further hash function | 

* 

I 

i 
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. . * makes use of at least one cryptographic key. 



30 16. A method according to any of claims 13-15, wherein the different hash functions use 
different cryptographic keys. 

17. A method according to any of claims 8-16, comprising perfbnmfng a plurality of tree- 
structure compressions of the message to obtain a plurality of results, and concatenating the 
35 plurality of results Into a concatenated result. 

w ■ 

IS, A method according to claim 17, wherein different cryptographic keys are applied in the 
plurality of tree-structure compressions. 

40 • - 19, A method according -to claim 17, wherein partly identical cryptographic keys are applied 
In the plurality of tree-structure compressions. 



» • <■ 



20, A computer system comprising a memory and a processor, the processor being 
programmed to carry out the method of any of claims 1-19. 



9. A method according to claim 8, wherein different cryptographic keys for the at least one 
first hash function are used in di^erent levels of the tree structure, 

10. A method according to claim 8 or 9, wherein different cryptographic keys are used in one 
level of the tree structure. 

- ' . 11. A method according to claim 8 or 9, wherein the same cryptographic key is used in a 
10' single level of the tree structure. 

■ 

' 12. A method according to any of the preceding Claims, wherein at least one of: 

- said first hash function; 

- said second hash function; and ' 
15 - said further hash function j 

Is a universal hash function. 1 

i 
I 

13. A method according to any of the preceding claims, wherein at least one of: 

- said at least one first hash function; 
20 - said second hash function; and 

- said further hash function 

• comprises at feast two'different hash functions. : 

■ 

• 14, A method according to claim 13, wherein the at least two different hash functions 
25 compress different numbers n of blocks. ! 



1 



15. A method according to claim 13 or 14, wherein at least one of the at least two diflerent i 
hash functions compresses a variable number n of Uocks. 
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21. A computer program product comprising means for performing the method of any of 
"claims 1-19. 

' 22* A method for generating an identification value for identifying an electronic message by 
•5 . application of at least one first hash function with fixed compression that compresses n 
' .blocks of data into a number of bloclcs which is smaller than n or Into one single blocic, the 
' . hash function being repetitively applied in a tree-structure compression of the message, so 
that the message is being compressed in a plurality of tree-structure levels, each level 
' receiving mi input blocks for compression, subscript i denoting a current level In the tree 
10 ♦ -structure, the method comprising processing an output of the tree-structure compression 
further to obtain said identification value, 
characterized in that 

the method comprises determining whether or not n divides the number of input blocks mi for 
said current level i; and 
15 if n does divide mt: applying said at least one first hash function mi/n times; 
if n does not divide mt: 

. - applying said at least one first hash function at most mf/n times, whereby at least one 

residual data block is left unprocessed by the first hash function; and 
^ processing said at least one unprocessed data block by means of an auxiliary hash 
20 - function which. In one single hash operation, rampresses the at least one 

. unprocessed data block into one single block. 

23. A method according to claim 22, further comprising the step of appending a set of 
predefined data to the message, so that the length of the message with the appended set of 
25 . data becomes a multiple of the length of the blocks. 

. . 24, A method afxording to claim 22 or 23, wherein the tree-structure compression is 
. performed until the number of blocks is less than n. 

30 * 25. A method according to claim 24, further comprising the step of concatenating the output 
•with data which represent a length L of the message to obtain a concatenated output, the 
length L representing the length of the message without sard appended set of data. 

■ 26. A method according to claim 25, wherein a hash function is applied to the concatenated 
' 35 . output to obtain a compressed concatenated output, said hash function being one of: 
• the at least one first hash function; and 

- a second hash function. 

•27. A method according to any of claims 22-26, further comprising applying a further hash 
40 function to at least one of: 
*^ said output, 

- a further set of data derived from said output, 

- said concatenated output, and 

- said compressed concatenated output. 

45 
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28, A method according to any of datms 22-27, further comprising applying a cryptographic 
function to said output or to a further set of data derived from said output. 

29* A method according to any of daims 22-28, wherein at least one of: 
5 - said at least one first hash function; 

- said second hash function; and 
. - said further hash function 

. makes use of at least one cryptographic key. 

. 10 30, A method according to daim 29, wherein different cryptographic keys for the at least one 
first hash function are used in different levels of the tree structure. 

» 

31. A method according to claim 29 or 30, wherein different cryptographic keys are used In 
one level of the tree structure. 

15 

32. A method according to claim 29 or 30, wherein the same cryptographic key is used in a 
single level of the tree structure. 

33. A method according to any of claims 22-32^ wherein at least one of: 
20 - said first hash function; 

- said second hash function; and 
*- said further hash function 

Is a universal hash function. 

25 34« A method according to any of daims 22-33, wherein at least one of: 

- said at least one first hash function; 

- sard second hash function^ and 

- said fiirljher hash function 

comprises at least two different hash functions. 

30 

35. A method according to claim 34, wherein the at least two different hash functions 
compress different numbers n of blocks, 

36. A method according to claim 34 or 35, wherein at least one of the at least two different 
35 hash functions compresses a variable number n of blocks* 

37. A method according to any of daims 34-36, wherein the different hash functions use 
different cryptographic keys« 

•40 38, A method according to any of claims 29-37, comprising performing a plurality of tree- 
. structure compressions of the message to obtain a plurality of results, and concatenating the 
plurality of results into a concatenated result* 

39. A method according to claim 38, wherein different cryptographic keys are applied in the 
4S plurality of tree-structure compressions. 
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• 40. A method according to daim 38, wherein partly identical crvfptographic keys are applied 
in the plurality of tree-structure compressions. 

.5 41, A ojmputer system comprising a memory and a processor, the processor being 
programmed to carry out the method of any of claims 22'-40. 



42, A computer program product comprising means for performing the method of any of 
claims 22-40. 



43, A method for generating an identification value for identifying an electronic message, the 
method comprising the steps of: 

- processing at least one block of a set of data derived from the message Into a resulting 
number by means of a hash function which is at least delta-universal; and 
15 - adding a number representation of a further block of data derived from the message to 
the resulting number to obtain a modified resulting number;. 
* - using the modified resulting number further to obtain said identification value, 

. 44* A method according to claim 43^ wherein the hash function operates on a single blod< of 
20 data only, 

45, A method according to daim 43 or 44, wherein the delta-unlversat hash function is 
repetitively applied In a tree^stiucture compression of the message^ so that the message is 
being compressed in a plurality of tree-structure levels^ each tree-structure receiving mj Input 

25 blocks for compression, the delta-universal hash function and the subsequent step of adding 
performing a compression of n data blocks Into one single data block, 

46, A method according to daim 45, wherein a residual data biod< Is passed without 
processing thereof from a current level to another subsequent level in case n does not divide 

30 the number of input blocks mi for said current level i. 

47, A method according to any of claims 43-46, wherein the modified resulting number Is 
determined by the function: 

(mi+k mod 2^^)-(LSR(mi,32)+LSR(k,32) mod 2*^)+m2 mod 2^, 
.35 where m^ and mi denote two of said blocks of data, LSR(x,y) denotes a loglcal-shlft-rlght by 
y bits of input x, and k denotes a cryptographic key, whereby mx, mz and k are represented 
as 64 bit unsigned integers. 

48, A computer system comprising a memory and a processor, the processor being 
40 • programmed to carry out the method of any of claims 43-47, 

49, A computer program produd: comprising means for performing the method of any of 
claims 43-47. 
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